[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] xen/blkif: avoid double access to any shared ri
From: |
Stefano Stabellini |
Subject: |
Re: [Qemu-devel] [PATCH] xen/blkif: avoid double access to any shared ring request fields |
Date: |
Mon, 23 May 2016 09:38:34 +0100 (BST) |
User-agent: |
Alpine 2.10 (DEB 1266 2009-07-14) |
On Mon, 23 May 2016, Jan Beulich wrote:
> Commit f9e98e5d7a ("xen/blkif: Avoid double access to
> src->nr_segments") didn't go far enough: src->operation is also being
> used twice. And nothing was done to prevent the compiler from using the
> source side of the copy done by blk_get_request() (granted that's very
> unlikely).
>
> Move the barrier()s up, and add another one to blk_get_request().
>
> Note that for completing XSA-155, the barrier() getting added to
> blk_get_request() would suffice, and hence the changes to xen_blkif.h
> are more like just cleanup. And since, as said, the unpatched code
> getting compiled to something vulnerable is very unlikely (and not
> observed in practice), this isn't being viewed as a new security issue.
>
> Signed-off-by: Jan Beulich <address@hidden>
Reviewed-by: Stefano Stabellini <address@hidden>
Added to my queue
> --- a/hw/block/xen_blkif.h
> +++ b/hw/block/xen_blkif.h
> @@ -79,14 +79,14 @@ static inline void blkif_get_x86_32_req(
> dst->handle = src->handle;
> dst->id = src->id;
> dst->sector_number = src->sector_number;
> - if (src->operation == BLKIF_OP_DISCARD) {
> + /* Prevent the compiler from using src->... instead. */
> + barrier();
> + if (dst->operation == BLKIF_OP_DISCARD) {
> struct blkif_request_discard *s = (void *)src;
> struct blkif_request_discard *d = (void *)dst;
> d->nr_sectors = s->nr_sectors;
> return;
> }
> - /* prevent the compiler from optimizing the code and using
> src->nr_segments instead */
> - barrier();
> if (n > dst->nr_segments)
> n = dst->nr_segments;
> for (i = 0; i < n; i++)
> @@ -102,14 +102,14 @@ static inline void blkif_get_x86_64_req(
> dst->handle = src->handle;
> dst->id = src->id;
> dst->sector_number = src->sector_number;
> - if (src->operation == BLKIF_OP_DISCARD) {
> + /* Prevent the compiler from using src->... instead. */
> + barrier();
> + if (dst->operation == BLKIF_OP_DISCARD) {
> struct blkif_request_discard *s = (void *)src;
> struct blkif_request_discard *d = (void *)dst;
> d->nr_sectors = s->nr_sectors;
> return;
> }
> - /* prevent the compiler from optimizing the code and using
> src->nr_segments instead */
> - barrier();
> if (n > dst->nr_segments)
> n = dst->nr_segments;
> for (i = 0; i < n; i++)
> --- a/hw/block/xen_disk.c
> +++ b/hw/block/xen_disk.c
> @@ -679,6 +679,8 @@ static int blk_get_request(struct XenBlk
> RING_GET_REQUEST(&blkdev->rings.x86_64_part,
> rc));
> break;
> }
> + /* Prevent the compiler from accessing the on-ring fields instead. */
> + barrier();
> return 0;
> }
>
>
>
>
>